bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
Size

4.1MB
MD5

89df799cf37fce3f2bbe8951efe90d65
SHA1

d02d92698d97481df3d03f40cd6484155e5352b2
SHA256

bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc
SHA512

91464bbde5c7ac1fd6a222efde9451d1f634764b1f31f44314bb80aa7e41a78436d7f611527dd4053b76d7e17bc25402bf02c26a321cc713bf35c3769e6519fd
SSDEEP

98304:+R0pI/IQlUoMPdmpSpK4ADtnkgvNWlw6aTfN41v:+R0pIAQhMPdmp5n9klRKN41v

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2780	xoptiec.exe

Loads dropped DLL 1 IoCs

pid	Process
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\Files7L\\xoptiec.exe"	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBK7\\optixloc.exe"	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
2780	xoptiec.exe
2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2780	2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	28
PID 2172 wrote to memory of 2780	2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	28
PID 2172 wrote to memory of 2780	2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	28
PID 2172 wrote to memory of 2780	2172	bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe	28

C:\Users\Admin\AppData\Local\Temp\bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe
"C:\Users\Admin\AppData\Local\Temp\bf91865ce361bba3a958d9760db41f943b7e0fb2905f3fd1a7cf1a7cc76625bc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Files7L\xoptiec.exe
  C:\Files7L\xoptiec.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\KaVBK7\optixloc.exe

Filesize
32KB

MD5
ae489513a0f3d7c7f8c9b70adff0ab85

SHA1
03cdf40dbaab6dc69db20669eeb828beae339ab1

SHA256
cd18ab11ab465bcc490e3dacc862a43aa60ded6ec3e898eeae8ed188e9e61041

SHA512
c2e8764946765041a009a002dba4d417a0d09a368778eaa019eacaf2c149b6ee59a43fd1313141cee39e0e21ceed28b1fe96bb194604270c9884e340fb161ade

Download Submit
C:\KaVBK7\optixloc.exe

Filesize
4.1MB

MD5
0abafef79633400a122d14486e4e683e

SHA1
a47807b307d080fa15005186526933c0d2726a42

SHA256
b797a52bf0a8e5cba5ed77e496057f05ce9d7717a0e4b6698e13817bb1a43bf7

SHA512
284f74db57a0e35ba017b2ce3423991cb7a910edd869c7dab42d7c506f69f5df9a0fad9aab4304d7f1e724918deda263cf2e842d96a135da35268028313c9218

Download Submit
C:\Users\Admin\253086396416_6.1_Admin.ini

Filesize
202B

MD5
7f5650dd5bd05d13f7fa62163ad9fc9c

SHA1
53a99d93c8ea5baa82db47417306bc570bda4d27

SHA256
f44c6cba788d120c8ef52671ce4d74a37db617a25bddb45ffc21fe6dfdd0a987

SHA512
c2aaf189b3b1f879851454c04d567829f8b2dd15d03ab6ce6a55cee3cb96bd4ecab98788aac02428ed7645ce577c687578d77eebc7988291934ad148558e7de6

Download Submit
\Files7L\xoptiec.exe

Filesize
4.1MB

MD5
cbb67c9c5d8804167943b8c171155d11

SHA1
a14714e9a331ff0a357fae50b8ace516e7b27188

SHA256
0dc8bafefef79ece42f0bb8c2971e9495c2b804859e054ae96c12912944bbb48

SHA512
d880f02148ee29a385a58251bcd67e8b8ce4bc85ea5c656af670ad903d6225369227e699cdbeaddcf06af2d31a2a3483e18171b4a88f2481daf6435d2f8b6590

Download Submit